Unsupported Xen Project 4.4 series


Xen Project 4.4.0

Release Information

The Xen Project 4.4 release incorporates many new features and improvements to existing features.


For Xen Project 4.4 documentation see

Contribution Acknowledgements

For a breakdown of contributions to Xen 4.4 check out the Xen Project 4.4 Acknowledgements.

Xen Project 4.4.1

We are pleased to announce the release of Xen 4.4.1. This is available immediately from its git repository http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.4 (tag RELEASE-4.4.1)

This release fixes the following critical vulnerabilities:

  • CVE-2014-2599 / XSA-89 HVMOP_set_mem_access is not preemptible
  • CVE-2014-3125 / XSA-91 Hardware timer context is not properly context switched on ARM
  • CVE-2014-3124 / XSA-92 HVMOP_set_mem_type allows invalid P2M entries to be created
  • CVE-2014-2915 / XSA-93 Hardware features unintentionally exposed to guests on ARM
  • CVE-2014-2986 / XSA-94 ARM hypervisor crash on guest interrupt controller access
  • CVE-2014-3714,CVE-2014-3715,CVE-2014-3716,CVE-2014-3717 / XSA-95 input handling vulnerabilities loading guest kernel on ARM
  • CVE-2014-3967,CVE-2014-3968 / XSA-96 Vulnerabilities in HVM MSI injection
  • CVE-2014-3969 / XSA-98 insufficient permissions checks accessing guest memory on ARM
  • CVE-2014-4021 / XSA-100 Hypervisor heap contents leaked to guests
  • CVE-2014-4022 / XSA-101 information leak via gnttab_setup_table on ARM
  • CVE-2014-5147 / XSA-102 Flaws in handling traps from 32-bit userspace on 64-bit ARM
  • CVE-2014-5148 / XSA-103 Flaw in handling unknown system register access from 64-bit userspace on ARM

Additionally, a workaround for CVE-2013-3495 / XSA-59 (Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts) has been put in place. However, at this point we can't guarantee that all affected chipsets are being covered; Intel is working diligently on providing us with a complete list. Apart from those there are many further bug fixes and improvements.

We recommend all users of the 4.4 stable series to update to this first point release.

Xen Project 4.4.2

We are pleased to announce the release of Xen 4.4.2. This is available immediately from its git repository

http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.4 (tag RELEASE-4.4.2) or from this download page

This fixes the following critical vulnerabilities:

  • CVE-2014-5146, CVE-2014-5149 / XSA-97: Long latency virtual-mmu operations are not preemptible
  • CVE-2014-7154 / XSA-104: Race condition in HVMOP_track_dirty_vram
  • CVE-2014-7155 / XSA-105: Missing privilege level checks in x86 HLT, LGDT, LIDT, and LMSW emulation
  • CVE-2014-7156 / XSA-106: Missing privilege level checks in x86 emulation of software interrupts
  • CVE-2014-6268 / XSA-107: Mishandling of uninitialised FIFO-based event channel control blocks
  • CVE-2014-7188 / XSA-108: Improper MSR range used for x2APIC emulation
  • CVE-2014-8594 / XSA-109: Insufficient restrictions on certain MMU update hypercalls
  • CVE-2014-8595 / XSA-110: Missing privilege level checks in x86 emulation of far branches
  • CVE-2014-8866 / XSA-111: Excessive checking in compatibility mode hypercall argument translation
  • CVE-2014-8867 / XSA-112: Insufficient bounding of "REP MOVS" to MMIO emulated inside the hypervisor
  • CVE-2014-9030 / XSA-113: Guest effectable page reference leak in MMU_MACHPHYS_UPDATE handling
  • CVE-2014-9065, CVE-2014-9066 / XSA-114: p2m lock starvation
  • CVE-2015-0361 / XSA-116: xen crash due to use after free on hvm guest teardown
  • CVE-2015-1563 / XSA-118: arm: vgic: incorrect rate limiting of guest triggered logging
  • CVE-2015-2152 / XSA-119: HVM qemu unexpectedly enabling emulated VGA graphics backends
  • CVE-2015-2044 / XSA-121: Information leak via internal x86 system device emulation
  • CVE-2015-2045 / XSA-122: Information leak through version information hypercall
  • CVE-2015-2151 / XSA-123: Hypervisor memory corruption due to x86 emulator flaw

Additionally, a bug in the fix for CVE-2014-3969 / XSA-98 has been addressed; this follow-up issue was assigned CVE-2015-2290.

Sadly, the workaround for CVE-2013-3495 / XSA-59 (Intel VT-d Interrupt Remapping engines can be evaded by native NMI interrupts) still can't be guaranteed to cover all affected chipsets; Intel continues to work on providing us with a complete list.

Apart from those there are many further bug fixes and improvements.

We recommend all users of the 4.4 stable series to update to this latest point release.

Xen Project 4.4.3

We are pleased to announce the release of Xen 4.4.3. This is available immediately from its git repository 

http://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.4 (tag RELEASE-4.4.3) or from this download page

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 27b82b0: update Xen version to 4.4.3 [Jan Beulich]
  • 3646b13: libxl: poll: Avoid fd deregistration race POLLNVAL crash [Ian Jackson]
  • 0348c45: libxl: poll: Use poller_get and poller_put for poller_app [Ian Jackson]
  • 900c797: libxl: poll: Make libxl__poller_get have only one success return path [Ian Jackson]
  • 1749add: tools: libxl: Handle failure to create qemu dm logfile [Ian Campbell]
  • ca0f468: libxl: In libxl_set_vcpuonline check for maximum number of VCPUs against the cpumap. [Konrad Rzeszutek Wilk]
  • 3e9054c: docs: workaround markdown parser error in xen-command-line.markdown [Ian Campbell]
  • 214fd40: xl: Sane handling of extra config file arguments [Ian Jackson]
  • 2b08c5c: QEMU_TAG update [Ian Jackson]
  • d273ce7: dmar: device scope mem leak fix [Elena Ufimtseva]
  • 1eda7e5: make rangeset_report_ranges() report all ranges [Jan Beulich]
  • d55922f: xen: earlycpio: Pull in latest linux earlycpio.[ch] [Ian Campbell]
  • d4ee871: x86/hvmloader: avoid data corruption with xenstore reads/writes [Andrew Cooper]
  • 4ee998c: credit1: properly deal with pCPUs not in any cpupool [Dario Faggioli]
  • 7ee0f1a: x86 / cpupool: clear the proper cpu_valid bit on pCPU teardown [Dario Faggioli]
  • cc87ed9: x86/p2m-ept: don't unmap the EPT pagetable while it is still in use [Andrew Cooper]
  • f51089d: nested EPT: fix the handling of nested EPT [Liang Li]
  • 33eba76: x86/traps: avoid using current too early on boot [Andrew Cooper]
  • 04667d6: x86: avoid tripping watchdog when constructing dom0 [Ross Lagerwall]
  • ea019a8: x86/EFI: adjust EFI_MEMORY_WP handling for spec version 2.5 [Jan Beulich]
  • b51d47e: kexec: add more pages to v1 environment [Jan Beulich]
  • f38be14: passthrough/amd: avoid reading an uninitialized variable [Tim Deegan]
  • fb9fdb0: x86/traps: identify the vcpu in context when dumping registers [Andrew Cooper]
  • 36c53c2: update Xen version to 4.4.3-rc1 [Jan Beulich]
  • 6c1cb3d: tools/libxc: Fix build of 32bit toolstacks on CentOS 5.x following XSA-125 [Andrew Cooper]
  • 7062ac6: Revert "tools/libxc: Fix build of 32bit toolstacks on CentOS 5.x following XSA-125" [Ian Jackson]
  • dfed6d9: libxl: event handling: ao_inprogress does waits while reports outstanding [Ian Jackson]
  • ba68310: libxl: event handling: Break out ao_work_outstanding [Ian Jackson]
  • a2895ef: tools/libxc: Fix build of 32bit toolstacks on CentOS 5.x following XSA-125 [Andrew Cooper]
  • a490f8d: tools/xenconsoled: Increase file descriptor limit [Andrew Cooper]
  • c669c24: ocaml/xenctrl: Fix stub_xc_readconsolering() [Andrew Cooper]
  • 9702e08: ocaml/xenctrl: Make failwith_xc() thread safe [Andrew Cooper]
  • 10a9553: ocaml/xenctrl: Check return values from hypercalls [Andrew Cooper]
  • 13623d5: libxl: In domain death search, start search at first domid we want [Ian Jackson]
  • 4b63c53: QEMU_TAG update [Ian Jackson]
  • c756224: xen/arm: Call context_saved() with interrupts enabled during context switch [denys drozdov]
  • de53397: cpupool: fix shutdown with cpupools with different schedulers [Dario Faggioli]
  • 472bdfe: libelf: fix elf_parse_bsdsyms call [Roger Pau Monné]
  • 726dd5a: VT-d: extend quirks to newer desktop chipsets [Jan Beulich]
  • d108622: EFI: support default attributes to map Runtime service areas with none given [Konrad Rzeszutek Wilk]
  • 1f29e20: EFI/early: add /mapbs to map EfiBootServices{Code,Data} [Konrad Rzeszutek Wilk]
  • a7c37b2: x86/EFI: fix EFI_MEMORY_WP handling [Jan Beulich]
  • e50f047: efi: avoid calling boot services after ExitBootServices() [Ross Lagerwall]
  • cd98a75: x86/VPMU: add lost Intel processor [Alan Robinson]
  • d568854: x86/crash: don't use set_fixmap() in the crash path [Andrew Cooper]
  • ab1cc71: x86/apic: Disable the LAPIC later in smp_send_stop() [Andrew Cooper]
  • 6ed66bf: efi: fix allocation problems if ExitBootServices() fails [Ross Lagerwall]
  • c76aeb5: x86: don't crash when mapping a page using EFI runtime page tables [Ross Lagerwall]
  • 7140a69: x86/pvh: disable posted interrupts [Roger Pau Monné]
  • 2691b20: x86: don't unconditionally touch the hvm_domain union during domain construction [Andrew Cooper]
  • 34b61e9: x86/EFI: keep EFI runtime services top level page tables up-to-date [Jan Beulich]
  • adee062: cpupools: avoid crashing if shutting down with free CPUs [Dario Faggioli]
  • 5d660a9: cpupool: assigning a CPU to a pool can fail [Dario Faggioli]
  • 05ab771: x86/traps: loop in the correct direction in compat_iret() [Andrew Cooper]
  • bcfa8d6: gnttab: add missing version check to GNTTABOP_swap_grant_ref handling [Jan Beulich]
  • dc34ce4: QEMU_TAG update [Ian Jackson]
  • 5624637: QEMU_TAG update [Ian Jackson]
  • 2260598: x86: don't clear high 32 bits of RAX on sub-word guest I/O port reads [Jan Beulich]
  • 6cd44b0: x86_emulate: fix EFLAGS setting of CMPXCHG emulation [Eugene Korenevsky]
  • 21a06bf: x86/efi: reserve SMBIOS table region when EFI booting [Ross Lagerwall]
  • 718f183: x86: don't change affinity with interrupt unmasked [Jan Beulich]
  • cb296dd: x86_emulate: split the {reg,mem} union in struct operand [Tim Deegan]
  • 19ae8c1: VT-d: improve fault info logging [Jan Beulich]
  • 8f2d240: x86/MSI: fix error handling [Jan Beulich]
  • ce516e8: LZ4 : fix the data abort issue [JeHyeon Yeon]
  • 1af1095: hvmloader: don't treat ROM BAR like other BARs [Jan Beulich]
  • 5fea6a3: QEMU_UPSTREAM_REVISION = master again [Stefano Stabellini]
  • 5365c7b: domctl/sysctl: don't leak hypervisor stack to toolstacks [Andrew Cooper]
  • 6b09a29: domctl: don't allow a toolstack domain to call domain_pause() on itself [Andrew Cooper]
  • 518ae14: Limit XEN_DOMCTL_memory_mapping hypercall to only process up to 64 GFNs (or less) [Konrad Rzeszutek Wilk]
  • 491b55d: QEMU_TAG update [Ian Jackson]
  • fc6fe18: x86: don't apply reboot quirks if reboot set by user [Ross Lagerwall]
  • 77da6c2: Revert "cpupools: update domU's node-affinity on the cpupool_unassign_cpu() path" [Jan Beulich]
  • 42b446e: x86/EFI: allow reboot= overrides when running under EFI [Konrad Rzeszutek Wilk]
  • 21a97a7: EFI: fix getting EFI variable list on some systems [Ross Lagerwall]
  • b39e48d: VT-d: print_vtd_entries() should cope with superpages [Jan Beulich]
  • 4a49a29: honor MEMF_no_refcount in alloc_heap_pages() [Jan Beulich]
  • c0577ae: update Xen version to 4.4.3-pre [Jan Beulich]

In addition, this release also contains the following fixes to qemu-traditional:

  • 30c002b: ide: Clear DRQ after handling all expected accesses [Kevin Wolf]
  • eb74574: ide: Check array bounds before writing to io_buffer (CVE-2015-5154) [Kevin Wolf]
  • fd5c041: pcnet: force the buffer access to be in bounds during tx [Petr Matousek]
  • 8d15b64: pcnet: fix Negative array index read [Gonglei]
  • 5fabc18: xen/pt: unknown PCI config space fields should be read-only [Jan Beulich]
  • 755f99f: xen/pt: add a few PCI config space field descriptions [Jan Beulich]
  • 5c74b77: xen/pt: mark reserved bits in PCI config space fields [Jan Beulich]
  • 65e39c8: xen/pt: mark all PCIe capability bits read-only [Jan Beulich]
  • dd37ad7: xen/pt: split out calculation of throughable mask in PCI config space handling [Jan Beulich]
  • 903ee00: xen/pt: correctly handle PM status bit [Jan Beulich]
  • cdad723: xen/pt: consolidate PM capability emu_mask [Jan Beulich]
  • 2736dd5: xen/MSI: don't open-code pass-through of enable bit modifications [Jan Beulich]
  • 6d7cdb1: xen/MSI-X: disable logging by default [Jan Beulich]
  • 1e2a2be: xen: don't allow guest to control MSI mask register [Jan Beulich]
  • b0101be: xen: properly gate host writes of modified PCI CFG contents [Jan Beulich]
  • c8c6ba0: fdc: force the fifo access to be in bounds of the allocated buffer [Petr Matousek]
  • a03c5a7: xen: limit guest control of PCI command register [Jan Beulich]

This release also contains changes to qemu-upstream, whose changelog we do not list here because it contains many changes that are not directly related to the Xen Project Hypervisor and thus to this release. However, you can check http://xenbits.xen.org/gitweb/?p=staging/qemu-upstream-4.4-testing.git;a=shortlog (between tags qemu-xen-4.4.2 and qemu-xen-4.4.3).

The fixes listed above also include security fixes for XSA-125 to XSA-139. The fix for XSA-140 has been applied to qemu-upstream, but has not been applied to qemu-traditional. See http://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

We recommend all users of the 4.4 stable series to update to this latest point release.